Use Dpapi with Shared Asp.Net Web Host?

 
 
Dominick Baier [DevelopMentor]
      01-24-2005
I wrote a couple of DPAPI tools (extended the MS impl, a command line tool .. and an ASP.NET frontend) - just upload the single aspx file to the server and you can encrypt whatever strings you like with DPAPI... don't forget to secure that page (or better, delete it when you are finished).

download:
http://www.leastprivilege.com/PermaL...8-6ff79a60e43f



---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/<(E-Mail Removed)>

Hi.

I'd like to use an encrypted database connection string. I'd also like to use an encrypted set of customer tables with a symmetric algorithm (and a secure symmetric key) generated by .Net in my SQL Server database from ASP.NET code stored on a shared host ASP.NET server.

I've downloaded a set of VB.NET code that is a rewrite of the C# DPAPI code posted on MSDN. The DPAPI should enable me to encrypt the connection string, but the portion of the code that calls the encryption class and encrypts a given string is a console application.

The article accompanying the code states: "Note that you'll need to run the console application on the IIS server to generate the encrypted base-64-encoded string. This is because the EncryptString function instructs the DPAPI to use the machine-wide key, so the encryption and decryption will be valid only on the same machine."

Since this is on a shared host thousands of miles away, and I don't believe I can run any local console code on it, does this mean I'm sunk????

Basically I need some secure way of storing my encrypted connection string and storing my symmetric encryption key. I know how to write the code to use the keys and algorithms to encrypt and decrypt things.

I suppose I could hide bits and pieces of each key in different places in the code or database and append them together by hardcoding, but I believe that that could be discovered???? by disassembling my code unless I use a professional obfuscator???.

HELP!

--Insecure in Boston, MA
-->GO PATRIOTS!!!!!!!!!!!!!!!



[microsoft.public.dotnet.framework.aspnet.security]
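
The server-side encryption step discussed in this post, as an added example that is not part of the original thread and is not the tool linked above: a small C# helper that a page running on the host could call, so the blob is produced under that server's machine key. The class name `MachineDpapi`, the entropy value and the sample connection string are assumptions made for illustration.

```csharp
// Added example. Needs a reference to System.Security.dll (.NET Framework 2.0+), Windows only.
using System;
using System.Security.Cryptography;
using System.Text;

public static class MachineDpapi
{
    // Constructed placeholder. With the machine store, any code running on the same
    // server can ask DPAPI to decrypt the blob; the optional entropy is a second
    // input that the caller must also know, so keep it out of the same config file.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Encrypts under the machine-wide key and returns base64 suitable for web.config.
    public static string Protect(string plainText)
    {
        byte[] data = Encoding.UTF8.GetBytes(plainText);
        byte[] blob = ProtectedData.Protect(data, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(data, 0, data.Length);   // do not leave the plaintext bytes around
        return Convert.ToBase64String(blob);
    }

    // Returns false instead of throwing when the blob cannot be opened here.
    public static bool TryUnprotect(string base64Blob, out string plainText)
    {
        plainText = null;
        try
        {
            byte[] blob = Convert.FromBase64String(base64Blob);
            byte[] data = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.LocalMachine);
            plainText = Encoding.UTF8.GetString(data);
            Array.Clear(data, 0, data.Length);
            return true;
        }
        catch (FormatException) { return false; }         // value is not base64
        catch (CryptographicException) { return false; }  // other machine, wrong entropy or altered blob
    }

    public static void Main()
    {
        // Constructed sample value, not a real credential.
        string secret = "Server=db.example.test;Database=Shop;User Id=app;Password=placeholder;";
        string stored = Protect(secret);
        string roundTrip;
        bool ok = TryUnprotect(stored, out roundTrip) && roundTrip == secret;
        Console.WriteLine("stored blob length: " + stored.Length + ", round trip ok: " + ok);
    }
}
```

A blob produced on a development machine fails in `TryUnprotect` on the host, which is why the encryption step has to run on the server itself.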
Phil C.
      01-24-2005
Thanks Dominick,

I think this ties in with Svein's last reply regarding creating a dll.
I will download it and try it.

Finding some answers to this question was difficult as I googled considerably and looked at a lot of .Net forums, but for some reason no one else seems to have needed to document the answers.

Phil

Phil C.
      01-24-2005
Dominick,

The download link for your dpapi tools is not functional.
Could you please check the site and your zip file?

Thanks,

Phil


